Last week, while creating the Wordfence monthly attack report, we noticed that Algeria had moved from position 60 in our “Top Attacking Countries” list to position 24. That was a big jump and we were curious why Algeria had climbed the attack rankings so rapidly.

What we discovered on closer examination is that over 10,000 IP addresses in Algeria were attacking WordPress websites in March. Most IPs were only launching between 50 and 1000 attacks during the entire month.

The following chart is a histogram. It groups IP addresses by the number of times they attacked. As you can see from the spike on the left, the most common number of attacks for an IP address was around 100 to 200. Few of the attacking IPs generated more than 2,000 attacks during the entire month of March 2017.

We wanted to learn more about these attacking IPs, so we dug a little deeper.

A Botnet Using Burst Attacks

We extracted the list of Algerian attack IPs and included, for each IP, the time of the first and last attack logged. The majority of the IPs spent just a few hours attacking and then stopped for the rest of the month. The histogram below shows how many IPs spent less than a day (shown as 0) attacking compared to those that spent 1 or more days. As you can see, over 7,000 IPs spent just a few hours attacking during March before they stopped.

These IPs switch on, perform a few attacks, then switch off and aren’t heard from again for a month. What we have found is a botnet distributed across thousands of IPs: each IP performs only a few attacks, those attacks are spread across many websites, and each IP’s activity lasts only a few minutes or hours.

The attacker controlling this botnet is using several evasive techniques. They are spreading their attacks across a very large number of IP addresses. They are using low frequency attacks to avoid being blocked. They are also spreading their attacks across a large number of WordPress sites.

These evasive techniques indicate a higher level of sophistication than we see from, for example, “PP Sks-Lugan” which we’ve written about in the past where we see a single IP generating millions of attacks.

Hacked Home Routers Hacking WordPress

When we looked at who owns each of the attacking IPs in Algeria, we found that over 97% of them are owned by Telecom Algeria. There are approximately 30 different ISPs in Algeria. We do see some attacks from other networks, but nothing compared to the volume that originates from Telecom Algeria.

The attacks we saw in March originated from the following networks:

41.96.0.0/12 which ranges from 41.96.0.0 to 41.111.255.255 had 4671 attacking IPs in March.

105.96.0.0/12 which ranges from 105.96.0.0 to 105.111.255.255 had 4591 attacking IPs in March.

154.240.0.0/12 which ranges from 154.240.0.0 to 154.255.255.255 had 715 attacking IPs in March.

197.112.0.0/13 which ranges from 197.112.0.0 to 197.119.255.255 had 401 attacking IPs in March.

It appears that attackers have exploited home routers on Algeria’s state owned telecommunications network and are using the exploited routers to attack WordPress websites globally.

Other ISPs With Vulnerable Routers

Algeria drew our attention because its country ranking jumped from 60 to 24 in our top attacking countries for March. Once we took a closer look at the attacking IPs, we were able to identify a specific pattern of behavior for these attack IPs:

They generally attack for less than 48 hours and then stop.

Most of them generate less than 1000 attacks.

There is usually a large number of attacking IPs on a single ISP.

By searching for similar patterns, we found that there are several other ISPs that seem to have the same problem that Telecom Algeria has.

BSNL – India

BSNL is a state owned telecommunications provider in India. During March we saw attacks from 11,495 IPs on their network.

In a survey of BSNL’s network, we found that:

11,495 IPs on BSNL’s network attacked WordPress sites in March.

Out of those attacking IPs, 4857 IPs also have port 7547 open.

We found that 1635 of the IPs that attacked WordPress sites are also running “Allegro RomPager 4.07 UPnP|1.0 (ZyXEL ZyWALL 2)”, a version that is vulnerable (see the Misfortune Cookie discussion under port 7547 below).

PLDT (Philippine Long Distance Telephone)

PLDT is the largest telecommunications provider and digital services company in the Philippines.

In a survey of PLDT’s network we found that:

3697 IPs on their network attacked WordPress sites in March.

1612 of those attacking IPs on PLDT’s network have port 7547 open.

137 of those IPs are running “Allegro RomPager 4.07 UPnP|1.0 (ZyXEL ZyWALL 2)” which is vulnerable to remote exploitation.

Once we could identify the attack pattern of compromised routers, we searched for other ISPs where the attack patterns fit the same criteria. That is: a low frequency of attacks, each IP attacking for less than 48 hours, and a large number of IPs on a single ISP attacking WordPress sites.

This is the full list of ISPs we found globally from which attacks matching these criteria originate. Notice the low “average attacks per IP” column on the right of the table (scroll right) and the large number of attacking IPs per ISP.
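The criteria above, written out as detection logic (an added example, not Wordfence’s code): it aggregates a constructed attack log per IP (attack count, first and last seen, distinct targets), groups IPs by ISP using the Telecom Algeria prefixes listed earlier (“Example ISP” and its 203.0.113.0/24 prefix are made up), and flags ISPs whose IPs fit the burst pattern. The min_ips threshold is an assumption scaled down to the tiny sample; real ISPs in the post had hundreds to thousands of attacking IPs.

```python
"""Burst-attack, compromised-router pattern from the post: each attacking IP is
active for under 48 hours, sends under 1000 attacks, and many such IPs share one
ISP. Aggregate a constructed log per IP, map IPs to ISPs by prefix, flag ISPs."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Telecom Algeria prefixes are those listed in the post. "Example ISP" and its
# RFC 5737 documentation prefix are a constructed stand-in for an ordinary network.
ISP_PREFIXES = {
    "Telecom Algeria": ["41.96.0.0/12", "105.96.0.0/12",
                        "154.240.0.0/12", "197.112.0.0/13"],
    "Example ISP": ["203.0.113.0/24"],
}
NETWORKS = [(isp, ip_network(p)) for isp, ps in ISP_PREFIXES.items() for p in ps]

# Constructed log lines: "<ISO timestamp> <source IP> <target host> <path>".
# Each Telecom Algeria IP attacks for a couple of hours at most; the Example ISP
# address hits one site at the start and again at the end of the month.
SAMPLE_LOG = """\
2017-03-04T01:10:00 41.96.10.5 siteA.example /wp-login.php
2017-03-04T01:11:30 41.96.10.5 siteB.example /xmlrpc.php
2017-03-04T03:40:12 41.96.10.5 siteC.example /wp-login.php
2017-03-06T14:00:00 105.100.2.9 siteA.example /wp-login.php
2017-03-06T15:20:00 105.100.2.9 siteD.example /xmlrpc.php
2017-03-09T08:00:00 154.241.7.7 siteB.example /wp-login.php
2017-03-09T09:05:00 154.241.7.7 siteA.example /wp-login.php
2017-03-12T20:00:00 197.115.0.3 siteC.example /xmlrpc.php
2017-03-01T00:00:00 203.0.113.20 siteA.example /wp-login.php
2017-03-31T23:00:00 203.0.113.20 siteA.example /wp-login.php
"""

def parse_log(text):
    """Yield (timestamp, ip, host, path) for each non-empty log line."""
    for line in text.splitlines():
        if line.strip():
            ts, ip, host, path = line.split()
            yield datetime.fromisoformat(ts), ip_address(ip), host, path

def isp_for(ip):
    """Map an address to the first ISP prefix that contains it."""
    return next((isp for isp, net in NETWORKS if ip in net), "unknown")

def per_ip_stats(events):
    """Per attacking IP: attack count, first seen, last seen, distinct targets."""
    stats = {}
    for ts, ip, host, _ in events:
        s = stats.setdefault(ip, {"attacks": 0, "first": ts, "last": ts, "targets": set()})
        s["attacks"] += 1
        s["first"], s["last"] = min(s["first"], ts), max(s["last"], ts)
        s["targets"].add(host)
    return stats

def active_hours(s):
    return (s["last"] - s["first"]).total_seconds() / 3600

def isp_summary(stats):
    """Group IPs by ISP and compute the figures the post's table reports."""
    per_isp = defaultdict(list)
    for ip, s in stats.items():
        per_isp[isp_for(ip)].append(s)
    return {isp: {
        "attacking_ips": len(rows),
        "avg_attacks_per_ip": sum(r["attacks"] for r in rows) / len(rows),
        "share_under_48h": sum(active_hours(r) < 48 for r in rows) / len(rows),
        "share_under_1000": sum(r["attacks"] < 1000 for r in rows) / len(rows),
    } for isp, rows in per_isp.items()}

def flag_router_botnet_isps(summary, min_ips=3, min_share=0.9):
    """ISPs matching the pattern. min_ips=3 suits the tiny sample (an assumption);
    the post's ISPs had hundreds to thousands of attacking IPs, so raise it."""
    return sorted(isp for isp, m in summary.items()
                  if m["attacking_ips"] >= min_ips
                  and m["share_under_48h"] >= min_share
                  and m["share_under_1000"] >= min_share)

def analyse(text=SAMPLE_LOG, **thresholds):
    """Run the pipeline; returns (per-ISP summary, sorted list of flagged ISPs)."""
    summary = isp_summary(per_ip_stats(parse_log(text)))
    return summary, flag_router_botnet_isps(summary, **thresholds)
```

Calling analyse() on the sample flags Telecom Algeria only; the Example ISP address fails both the 48-hour criterion and the minimum IP count.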

What is port 7547 and TR-069 and why is it a problem?

Port 7547 is a management port on home routers. It allows ISPs to manage the routers that their customers use on their home networks. It uses a protocol called TR-069 to provide a management interface. The TR-069 protocol can be used to provision devices, provide tech support and remote management, monitor routers for faults, run diagnostics, replace a faulty configuration and deploy upgraded firmware.

This protocol and port have had at least two serious security vulnerabilities associated with them in the past 4 years.

We have already mentioned the Misfortune Cookie vulnerability, which targets management port 7547 and which some of the ISPs above are suffering from. RomPager version 4.07 is affected by Misfortune Cookie. Among the ISPs from which we are seeing attacks originate, 14 out of 28 have remotely accessible routers running the vulnerable RomPager version 4.07 on port 7547.

6.7% of Attacks on WordPress Sites are from Home Routers with Port 7547 Open

In addition to the network surveys we did on ISPs from which attacks are originating, we also surveyed 865,467 additional IP addresses that have engaged in brute force or complex attacks during the past 3 days. Out of those, 57,971 have port 7547 open, indicating that they are home routers from which attacks are originating.

That means that 6.7% of all attacks on WordPress sites that we protect, during the past 3 days, came from home routers that have port 7547 open.

Shodan, an internet survey search engine, currently shows that over 41 million devices on the Internet are listening on port 7547. The TR-069 protocol is widely used among ISPs world-wide.

The Security Risk to Home Users

If a home router is successfully exploited, an attacker can access your internal home network. They have penetrated any firewall function that the router provides and can also bypass router network address translation. This enables them to exploit internal targets like workstations, mobile devices using WiFi and IoT devices like home climate control systems and home cameras.

We are already seeing bulk exploitation of TR-069 which has turned home routers into a botnet attacking WordPress sites. It is quite feasible that home network exploitation is already underway as well.

Security Risk to the Internet at Large

OVH was hit by a 1 Terabyte DDoS attack in September last year, one of the largest in history. Approximately 152,000 compromised IoT (Internet of Things) devices generated the traffic in that attack.

In just the past month we have seen over 90,000 unique IP addresses at 28 ISPs that fit our compromised-router attack pattern. We monitor these attacks across our customer websites, which is an attack surface of over 2 million websites. We only see a sample of the attacks that all websites globally experience. If you extrapolate the numbers, it indicates that there is a very large number of compromised ISP routers out there performing attacks and acting in concert.

At this point it would not be a stretch to say that vulnerabilities in TR-069 may have created a very large botnet which could soon generate the largest DDoS attack the Internet has ever seen.

How ISPs can help

Exposing port 7547 to the public Internet gives attackers the opportunity to exploit vulnerabilities in the TR-069 protocol. ISPs should filter out traffic on their network coming from the public Internet that is targeting port 7547. The only traffic that should be allowed is traffic between their own Auto Configuration Servers (ACS) and customer equipment.

There are already a large number of compromised routers out there. ISPs should immediately start monitoring traffic patterns on their own networks for malicious activity to identify compromised routers. They should also force-update their customers to firmware that fixes any vulnerabilities and removes malware.

What we are doing

At Wordfence we run a real-time IP blacklist for our premium customers. We are adjusting our blacklist algorithms to identify and include IP addresses that engage in these kinds of attacks. We are also working to create awareness among ISPs and security professionals about the risk that TR-069 presents and how they can help to mitigate that risk.

I would very much like to believe that. Unfortunately the reality is very different. Here are just a few of the ports we found open on the ISPs from which attacks are originating, including what service they're running based on their banner. You'll also notice in our post that Zyxel Zywall is actually firewall software and that's what has the Misfortune Cookie vulnerability. So in this case the firewall is what the attackers use to gain entry.

What about those of us in the US ... should we be worried about the vulnerability of our routers based on what companies here are doing? And what (if anything) can we do to protect our home network?

One thing to check is if your router's port 7547 is open from the outside. I didn't have time to create a utility to check this, but let me know if there is interest and we can put that together. If port 7547 is open to outsiders, it does not indicate that you are vulnerable, but it does indicate that outsiders can access a service that should only be available to your ISP for management purposes.

Come to think of it we could also banner-grab the port and show you what your router is running.

I create/maintain local business WP websites for a living and pride myself on delivering secured, safe WordPress sites that are constantly monitored and updated. I depend on Wordfence (along with a few other plugins) to help keep my clients' sites protected.
It is important to be aware of all the plausible dangers out there and your blog/news updates are invaluable to my staying on top of things. I'm not a full out coder so having things explained in "layman's terms" is important to me... you do that well!
THANKS for continually keeping users and providers like myself up to date on what is going on in that big bad world of WP hacking!

You go to great lengths to explain where the vulnerability is on the router side, however (and perhaps I missed it) I did not get a good understanding of what the attacks were attempting to do on the wordpress sites and whether I should be worried about it. Can you please elaborate.

Thanks Ruan. Yes that was an omission. We are seeing mostly brute force attacks and a small percentage of complex attacks. The brute force attacks target both wp-login.php (the traditional login endpoint for WordPress) and also XMLRPC login. Let me know if that helps.

Do you think that ISPs are able to force-update their customers to firmware that fixes any vulnerabilities and removes malware and yet allows them to keep their hardware? If consumers have to swap out hardware, I can see this being an uphill struggle, would you agree?

Is it all or only some hardware that can accept a firmware upgrade or is it a given that all routers can accept a firmware update that would close off the port?

I don't have a complete answer for you but here are a few observations based on my recent research:

1. Port 7547 is actually the management port that ISPs would use to remotely update your firmware.
2. Some attackers infect routers and actually close off this port behind them, which would prevent firmware updates.
3. The good news is that in many cases (perhaps all?) if you reboot the router, the malware is cleared and it's reset to its previous state which would open up that port again.

So what could work for ISPs, and I haven't confirmed this, is to ask customers to perform a reboot on a particular day, and then immediately roll out firmware updates via port 7547/TR-069 to the clean routers.

I'd have to know more about your router model number to answer that, but my guess is that WiFi access control based on MAC address is unrelated to whether or not your router exposes a management port to the outside world.

So as we can see the big issue here is state owned ISPs have a total lack of security and clearly are not updating their routers or telling customers about the issue, or even monitoring their own network activity.

What I really don't get is: what is the relation between the Zyxel firmware and the vulnerable port? Or to be more specific: is the Zyxel firewall vulnerable, or is there a customized ISP firmware based on the Zyxel firmware running? Do the attackers exploit the Zyxel firewall or do they exploit a firmware which is built by the ISPs?

Wonderful post! Information is power. Do you have any stats on this vulnerability within the US? Just wondering, as we have blacklisted everyone outside the US. Our website does not need global visibility, so we just nuked them all, other than the United States. However, I notice we consistently get hit attempts from a couple of subnets in Chicago and LA, and I was wondering if this could be these routers being compromised. Thanks for your hard work!

Hi everyone, great post. Some people have asked how they can check their home / work routers for this and other open ports. Not sure if I am allowed to post this but a great, free tool that I have used for years is by the owner of Gibson Research. He is trusted the world over as a real guru and does things with machine code that I can't even begin to understand. He has a web service (free) called ShieldsUP! which everyone should use to test any network that has access to the internet. I am not in any way associated with the owner, site or otherwise, I am simply an IT consultant who likes to keep his clients as safe as possible. Hope this helps.

Going through access logs for my WordPress site recently, I noticed lots of requests to wp-login.php and xmlrpc.php, maybe every 10-20 minutes or with longer pauses (a few hours or so). In most cases the User-Agent header of those requests is "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1". I started blocking those IPs in my webserver's CPanel, but when I realized there are so many unique IPs with no recurring occurrences, I gave up. Most of them belong to ISPs from the table of compromised routers that you've published. I've also noticed IPs from Belarus (BELTELECOM), Saudi Arabia (Etihad Etisalat - Mobily, Saudi Telecom), UK (Virgin Media), Ireland (Liberty Global Europe, Sky Network Services), Spain (Telefonica de Espana), and more.

No action required. We have already added many of these new IPs to the Premium Wordfence blacklist. We are gradually lowering our filter thresholds and modifying algorithms to include additional IPs that are engaging in these attacks. Just kick back and know that we're on top of this.

No it would not. Unfortunately an attacker who can compromise your home router will also be able to directly access your home workstation or device even if your traffic to the outside Internet is passing through an encrypted VPN tunnel.

Great post. Thanks for the good info. Hopefully the following comments will help people. Sorry, it got a little long but it's good info.

This vindicates my personal policy of blocking confirmed attackers for at least 3 months when I get a chance to review my logs and actually confirm that the suspected attacks (based on firewall rules violations) are actual attacks.

Takeaways for users, in my opinion are the following. If needed, ask a geek friend for help.

01) Put your own home router behind your cable / dsl modem between it and your home network.

If you're really geeky, you could run alternate firmware like DD-WRT, Open-WRT, or Tomato. This is not for the faint of geek heart and instructions are beyond the scope of this post. If not using custom firmware, make sure the router you install has up to date factory firmware.

Using your own router won't prevent malware from getting into the cable modem. But it will help prevent it from breaching into your home network. The following steps won't guarantee that your router cannot become infected, but they will help make it much less likely.

02) Turn off all unneeded features in the router's control panel and, in particular, anything that allows outside access to your inside network.

03) Make sure the DMZ is OFF. DMZ stands for demilitarized zone. The DMZ feature, if on, forwards ALL incoming traffic from outside that is unsolicited (i.e. attacks) to a specific address on the INSIDE of your network. This is very dangerous. Don't use it.

04) Turn off ALL outside remote administration, be it web based (http, https), or ftp, or telnet, or just a general setting, or whatever.

05) Turn off all "servers" or "services" that expose any router features to the outside world.

06) Turn off UPNP. This stands for Universal Plug And Play. This allows things inside your network (game consoles, javascript apps in your browser) to open holes (ports) in your router's firewall without you knowing it which may let bad things sneak in. If the router's control panel shows any ports have been opened that you didn't specifically ask for, close them. Many routers won't even show you this. If you DO want specific ports open for games and such, you should open them manually and intentionally.

07) You may test your external IP address for open TCP ports within limits benignly using the "Shields UP" web service at GRC (Gibson Research Corp.). I have no financial interest in GRC but I value their services. Use this test only at your home, not in a corporate environment.

Read the information about what the test will do. If you understand and agree, click "Proceed".

There are several tests you can run. You may have to scroll down to see the menu.

First click "GRC's Instant UPNP Exposure Test". This will check if your router responds to UPNP port opening commands from the OUTSIDE world. The result should be a green banner saying it did not respond.

Click back to get back to the menu. Scroll down if necessary.

Click the "File Sharing" button.

This will test for outside access to your PC's hard drive. The result should say "Unable to connect".

Scroll back to the menu. Click the "Common Ports" button.

This will test your external address for common open TCP ports. The desired result is "TruStealth Analysis Passed" with data below showing green lights and all port numbers as Stealth. This means your router did not respond to any queries. It would be like if someone knocks on your front door and you don't answer even if you're home.

Scroll back to the menu. Click the "All Service Ports" button. Scroll down and wait for this to complete.

This will test your external address for open TCP ports 0 - 1055. Again, the desired result is "TruStealth Analysis Passed" with all green lights and all ports shown as Stealth. A closed port is an acceptable result, but that means when the remote computer probed that port number, your router said, "I'm here but go away, I don't want to talk." No response at all is preferable. An open port means that your router or cable modem is "listening" for connection attempts on that port number. You should not see open ports.

Note that none of this has tested the port mentioned in this blog post. Here's how you do that. Note also that these procedures test TCP ports, not UDP ports.

Scroll back down to the menu. Below the buttons, there is a text entry blank. Enter 7547 (the port number discussed in this blog post) into the blank. Click the "User Specified Custom Port Probe" button. This will probe this specific port number.

Again, the desired result is "TruStealth Analysis Passed" with a green light and this port shown as Stealth.

This will give you a pretty good idea if you have any COMMON ports open or if this specific port is open. Note that, for all the ports which your cable modem passes unhindered to your router, you are testing the router. If a port shows up as stealth, it's being blocked either by your ISP (mostly not the case), your cable modem (mostly not the case) or your router (usually the case). If a port shows up as closed or open, meaning there was a response, that response could be coming from your cable modem or your router or possibly the ISP if it's closed.

Note that most ports from 1056 - 65535 for TCP and ALL ports for UDP (also with numbers 0 - 65535) have NOT been tested. You could use something like NMAP to do that, but it has to be done from the outside world. Be careful, if your ISP thinks you're launching an attack on someone, even yourself, you may find yourself disconnected from the net. I have not had a problem running these simple scans on occasion.

The owner of GRC, Steve Gibson, hosts a podcast called Security Now. It's a good mix of consumer / prosumer security info. It is not WordPress specific though. It is not for security experts, although some listen, but takes info from security experts and makes it available to more average people.

https://www.grc.com/securitynow.htm

https://twit.tv/shows/security-now

Back to the take away points for consumers.

08) Put your IOT things on their own router as described in the "Three Dumb Routers" philosophy.

09) If you hear a security notice through sources such as Security Now or others that your router has a security vulnerability, see if you can get a firmware update from the factory and install it. I personally don't like auto update, since I like to know when new firmware is installed. Installing firmware will often clear the settings, so the router will have to be set up again. I personally like DD-WRT firmware which is pretty solid if you have all its external services turned off. This is beyond most people's comfort level though. The next best thing is up to date factory firmware.

10) Absolutely change your router's default management password. The BEST scenario is a long random (and unmemorable and untypeable) password stored in a password manager. If you need something memorable and typeable, multiple words separated by numbers and / or symbols is best. Write it down in a secure place or use a password manager to save it. Remember, a bad actor could be in your home in the form of a malicious script running in a web page, or someone physically there like contractors, relatives, friends, or kids. They could try to attack your router. That would be an attack from inside your network. If you have the option, make sure your router's control panel times out after you've been logged in for a while but inactive in case you forget to log out.

If you want a memorable and typeable password, you could use this site but don't use "correct horse battery staple" as the password.

http://correcthorsebatterystaple.net/

If you want a good long piece of randomness, you could use this site or the password generator in your password manager.

https://www.grc.com/passwords.htm

Be VERY careful about copying and pasting long passwords into the router's control panel. If it doesn't accept all the characters, you'll have a random length subset of the password that you don't know. If you can set it to let you see the characters, do that. If you get locked out, you'll have to physically reset the router and start over configuring it. Do NOT type confidential passwords into the router when connected by wifi unless you've already set up WPA2 encryption. See below. Connect to the router with a LAN cable initially and turn your wifi off to configure it.

11) For your WIFI password, not the management or control panel password, use a long random string of characters and numbers. The router should be able to accept 63 alphanumeric characters or digits. It may not like symbols though. Set it for WPA2 and AES encryption. Do NOT use WPS or any quick and easy "push button" setup. You should disable WPS and WPS Pin if you have a choice. Save the password somewhere in a non obvious file. Note that, if someone bad is seated at your PC, or steals your PC, you've got bigger problems than whether they can log into your wifi. You should never have to type this password and almost never have to even copy and paste it. If you have a password manager, store it in a secure note or something.

If you need to let your friends log in, use a router with a guest network feature that ONLY connects to the internet. The guests should not be able to access the router's control panel. You can give them a separate more memorable, and typeable password and can conceivably change it when they leave.

Hopefully this will be helpful. I am not affiliated with GRC or Wordfence other than as a customer. But I was inspired to post this in hopes that it will help clear up a somewhat confusing topic of home routers.

Great comment Ron. Lots of great info. Do you have this info posted at a blog somewhere that I could repost and share? Was thinking of just copy/pasting it to my blog but that would not be cool so I wanted to see if you had an alternate source or maybe an infographic published with the flow chart that could be pinned and shared via social networks. Shoot me an email.

I think pressure and responsibility should fall on the makers of the routers, like ZyWall, to supply updated firmware for the compromised routers. Government agencies are usually understaffed and underfunded so they probably don't have the time or money to fix these kind of problems.

Thank you very much for this information.
We will keep a close eye on this issue since quite a few ISPs here in Greece provide Zyxel equipment.
I would be very surprised to see that Greek ISPs monitor traffic especially on management ports!
Thanks again for this!
It keeps us and our customers up to date.

You may be able to block it with rules on your router, but it's best to contact your ISP for help or at the very least to let them know that you would like the port closed for security reasons. The idea is to get the message out to ISPs about the danger of this port being open.